Richard Bejtlich's blog on digital security, strategic thought, and military history.

Wednesday, May 11, 2005

Multiple New Pre-Reviews

I've received many new books in the last two weeks. Here are some pre-reviews. First we have Mastering FreeBSD and OpenBSD Security by Bruce Potter, Paco Hope, and Yanek Korff, published by O'Reilly. I have been looking forward to this book for a while. I use both operating systems to build security appliances, and that sort of work is the subject of this book. I would have preferred if the authors avoided discussing Snort and ACID, though. This is the umpteenth time I've seen "IDS" boiled down to those two well-worn and not-very-effective "solutions." Snort, yes. ACID, no. I would have been less disturbed if at least BASE, the replacement for ACID, was profiled. But no. Still, this will be the first book in the pack I plan to read.

I'm a little worried about this new Snort book. First, imagine which Snort console is presented? You guessed it -- ACID. Ugh, no Sguil. This is a shame, as one of this book's authors attended the Sguil presentation I gave at the DC Snort Users Group meeting last June. Second, and more worrisome, the advice on taps is faulty. On p. 21, we read the following:

"If your Snort machine has only one network interface, using the passive tap, run both lines to a small hub. Then from another port of the hub, run a cable to your IDS. This will combine and maybe even buffer the traffic for the IDS and give a full duplex connection."

Wrong -- this is a nice way to never see traffic when full-duplex packets from the two transmit lines collide in the hub. The "maybe even buffer the traffic" part is funny, too. I wrote about this bad configuration in my first book and in this January 2004 post when I caught Finisar making the same mistake.
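To make the collision problem concrete, here is a constructed simulation (added here, not code from the post or from the Snort book) of what happens to the two transmit lines of a passive tap when they are merged in a hub versus delivered through a buffering tap aggregator or two sensor capture interfaces. The frame timings are made up; the only modelling assumption is that a hub is one half-duplex collision domain with no buffer, so any two frames whose wire time overlaps are both lost.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """One Ethernet frame as seen on one transmit line of a passive tap."""
    line: str      # which tap output it arrived on: "A->B" or "B->A"
    start: float   # time the frame starts on the wire (microseconds, constructed)
    length: float  # time it occupies the wire (microseconds, constructed)

    @property
    def end(self) -> float:
        return self.start + self.length

def hub_combine(frames):
    """Model a hub: one half-duplex collision domain with no buffer.
    Any two frames whose wire time overlaps collide and both are lost.
    Returns the frames that reach the sensor intact, in time order."""
    ordered = sorted(frames, key=lambda f: f.start)
    collided = [False] * len(ordered)
    for i in range(len(ordered)):
        for j in range(i + 1, len(ordered)):
            if ordered[j].start >= ordered[i].end:
                break          # later frames start even later: no overlap
            collided[i] = collided[j] = True
    return [f for f, c in zip(ordered, collided) if not c]

def aggregating_tap(frames):
    """Model a buffering tap aggregator, or a sensor with two capture NICs
    (one per tap output): frames are queued rather than dropped, so every
    frame from both directions is delivered."""
    return sorted(frames, key=lambda f: f.start)

def loss_summary(frames):
    """Per-direction count of frames the hub design silently drops."""
    seen = hub_combine(frames)
    return {d: sum(1 for f in frames if f.line == d)
               - sum(1 for f in seen if f.line == d)
            for d in ("A->B", "B->A")}

# Constructed full-duplex exchange: both ends transmit at the same time,
# which a full-duplex link permits but a single hub segment cannot carry.
SAMPLE = [
    Frame("A->B", 0, 10), Frame("A->B", 12, 10), Frame("A->B", 30, 10),
    Frame("B->A", 5, 10), Frame("B->A", 25, 4), Frame("B->A", 45, 10),
]

if __name__ == "__main__":
    print("hub delivers", len(hub_combine(SAMPLE)), "of", len(SAMPLE))
    print("aggregator delivers", len(aggregating_tap(SAMPLE)), "of", len(SAMPLE))
    print("dropped per direction:", loss_summary(SAMPLE))
```

With this sample the hub passes only three of six frames, and the drops fall on both directions of the conversation, which is exactly the kind of silent blind spot an IDS behind such a tap would never report.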

My penultimate O'Reilly book is Apache Security by Ivan Ristic. Ivan wrote the mod_security Apache module and maintains a Web Security Blog. I would describe mod_security as a policy enforcement system for Apache, but the common market-speak would be host IPS. Ivan sent me a copy of his book specifically to review (thank you), but I will not be able to get to it immediately. It looks like just the book for anyone wishing to deploy Apache securely, however.

I'm not sure when I'll get to this book, but I'll mention it anyway: InfoSec Career Hacking by Aaron W. Bayles, Chris Hurley, Johnny Long, and Ed Brindley. I'll read j0hnny's chapter on building a Knoppix-based test lab, but the others seem somewhat dubious. I don't see how a whole book could give advice on "landing (and keeping) a job in the infosec field." For example, the "incident response" chapter (11) looks extremely weak.